Monday, May 2, 2016

Strategic Surprise in Cyber

The Past Strategic Surprise

In 2011 Nicolas Waisman, Immunity's VP of South America and a highly rated exploit writer and bug finder himself, gave a keynote which examined a lot of the areas around vulnerabilities, exploits, and how to use them strategically.

This video is available here: https://vimeo.com/163699561 . I'm going to steal pictures from his talk for this blogpost but you can watch it to get the full experience. :)

Let me sum it up for you though with one question he asks which I think is a visceral experience very different from what you read in most marketing documents. He says at one point in his talk: "When was the last time you saw a real exploit?"

In order to understand that question, you have to know a bit about Nico, and his quality assurance process on "real exploits". A real exploit to Nico is essentially going to be a remote, unauthenticated heap overflow that works every time even over bad links, and cleans up after itself properly to continue execution of the remote process.

I want to put this into context so you don't think Nico is just some hacker elitist, which is probably also true, but there are not many people in the world who have led six month long multi-person projects to exploit a single vulnerability. Most exploits you know about are the result of a talented person putting in a month or less of work. Client-side exploits are a key sweet spot here because you typically have so much control over the environment as an attacker and they are easy to deploy as a commodity.

This, frankly, is where most people are in the public area. Frustration kills a lot of exploitation efforts, or reduces them to academic exercises.

But if you look at the publicly reported information to strategically examine what exploitation is, then you may as well believe everything that you can know strategically from math you can learn in your high school calculus class.

Click this picture to see HDM and JDUCK complain about how hard real exploitation is.

Exploits are hard. They were always hard and the reason you often see vulnerability "collision" in the public arena is that people are focusing on the extremely low hanging fruit as a group. But there IS a high end in the strategic area and not seeing that high end is a massive strategic hole in your thinking!

That was the point of Nico's talk. Because INFILTRATE Keynotes are about strategic vision, and Nico shared his view with all of us, much as Nate Fick shared his this year and a future blog post will analyze that as well. :)

The Future Strategic Surprise

And I'm going to follow that on with where you are going to be strategically surprised in the future, and a quick link to this year's INFILTRATE talks. The answer is simple: Man in the Middle.

None of the protocols in wide use were really hardened against MITM. It may not even be possible in many cases. And yet, QUANTUM is an example of what strategically deployed MITM can do. And inside your network, with future generations of INNUENDO, you're going to see the destruction of entire ecosystems of protocols. For example, people underestimated the impact of using deserialization functions in Java middleware and there is far too much of that to rip out or fix now.

In short, everyone laughed at Badlock. But if you have any real strategic vision of the future as a defender, you found no mirth in it at all. In other words, MITM is a hugely unexplored surface which is practically reachable even without nation-state positioning, we should all care about it as much as we care about heap overflows, which is a lot. :)

Offensive strategy is longterm, goal oriented, and forward thinking. And while that sounds like a management bullshit bingo round, forward thinking actually implies practical placement of offensive capability today, for tomorrow's landscape. If you hacked 15 years ago, and you did your job, the only vulns you use today are your own. That is strategy.